5 FAM 740 
COOKIES 

(CT:IM-154; 09-17-2014) 
(Office of Origin: IIP/CSS) 

5 FAM 741 GENERAL POLICY 

(CT:IM-154; 09-17-2014) 

a. If cookies are used on Department web sites (see 5 FAM 742, Cookie Intranet 
Use and 743, Cookie Internet Use), the web site must display a privacy 
statement informing users that cookies are used at the site, whether any data 
being collected is stored, and for what purpose. 

b. If either persistent or session cookies are used for the purpose of collecting 
information, the requirements of 5 FAM 460, Privacy Act Requirements, must 
be met. 

c. There are other types of web site tracking technologies in use, such as web 
beacons, but this subchapter is focused exclusively on the use of cookies, as 
defined in 5 FAM 743. 

5 FAM 742 COOKIE INTRANET USE 

(TL:IM-33; 02-27-2002) 

Both persistent and session cookies may be used on Department Intranet web 
sites. 

5 FAM 743 COOKIE INTERNET USE 

(CT:IM-154; 09-17-2014) 

a. Office of Management and Budget (OMB) Memorandum M-10-22 authorizes 
Federal agencies to use cookies or other tracking technologies on 
Department-hosted and managed public web sites, subject to certain conditions. 

b. There are two basic types of cookies: 

(1) Single-session: These technologies remember a user's online interactions 
within a single session or visit. Any identifier correlated to a particular user 
is used only within that session, is not later reused, and is deleted 
immediately after the session ends. OMB terms this use as tier 1; and 

(2) Multi-session: These technologies remember a user's online interactions 
through multiple sessions. This approach requires the use of a persistent 
identifier for each user, which lasts across multiple sessions or visits. OMB 
defines two levels of multi-session technologies: 

(a) Tier 2: Multi-session that does not collect personally identifiable 
information (PII) and has no way to identify individual site visitors; 
and 

(b) Tier 3: Multi-session that also collects PII. In this situation, the user 
must opt-in. 

c. Single-session cookies may be used only if they retain the information during 
the session or for the purpose of completing a particular online transaction, 
without any capacity to track users over time and across different web sites. 

d. Department public web sites may use tier 2 and 3 persistent cookies when site 
managers ensure the site meets the conditions outlined in 5 FAM 743, 
paragraph e, and they obtain required approvals as described. Tier 2 persistent 
cookies may also be used through participation in the Federal Government's 
Digital Analytics Program, run by the General Services Administration (GSA). 

e. Mandatory requirements for using cookies or tracking technologies: 

(1) The site's privacy policy must notify site visitors that cookies are being 
used and provide a straightforward way for site visitors to opt-out of the 
cookies being placed on their devices. Opt-out options include: 

(a) Agency side opt-out: Use cookies to remember that a user has opted out 
of all "other uses of such technologies on the relevant domain or 
application. Such uses are considered tier 2" (see 5 FAM Exhibit 734); 
and 

(b) Client side opt-out: Provide instructions to site visitors on how they 
can change their browser settings to prevent cookies from being set; 

(NOTE: If you use tier 3 cookies, users must opt-in) 

(2) Provide comparable information and access to opt-in and opt-out users; 

(3) Cite the relevant privacy impact assessment (PIA) and/or System of 
Records Notice (SORN) that discusses the use of any data collected 
through cookies, where appropriate. See SORN State-79 in the listing for 
the Digital Outreach and Communications SORN; 

(4) Keep the data gathered from cookies only as long as necessary to meet the 
objective for its collection and, per OMB, no longer than 1 year, unless a 
longer term is required by law, policy, or specific need for which the data 
contributes to program objectives. Strictly limit data access to only those 
who need it to perform their job functions. If the data collected is 
determined to be a Federal record, it must be archived in accordance with 
the General Record Schedule 20; 

(5) Store data in only one cookie per user; 
(6) Do not track user activity outside the domain where the web site or 
application originates; 

(7) Do not share user activity with other institutions unless the user gives 
explicit consent to do so; 

(8) Do not cross-reference user data with PII to determine user activity unless 
the user gives explicit consent to do so; and 

(9) Ensure the provisions listed in 5 FAM Exhibit 743.1 are included in the 
privacy policy posted to the site(s) where cookies are in use. 

f. Recommended practices for cookie usage are described in the following list. 
Cookies should: 

(1) Be no larger than 4096 bytes; 

(2) Be encrypted with server side scripts (preferably salted hashes); 

(3) Be decrypted only on the server; 

(4) Have an expiration date no greater than 1 year unless a longer term is 
needed to meet legal requirements or specific program objectives; 

(5) Be used to collect site-specific activity such as the referring site; the pages 
the user visits and duration; return visits; the exit page; and/or visits to 
other sites the bureau or post manages; 

(6) Not contain user-specific identity information that is PII. If there is a 
business requirement to collect PII, you must follow the procedures in 5 
FAM 743, paragraph g; and 

(7) Use secure socket layer (SSL) encryption to transmit all user and session 
authentication information. This practice, along with server-created 
session IDs, helps avoid session hijacking. 
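The following Python program is an added illustration, not part of the FAM text and not code from any Department system. It shows how a web server could put paragraph e(1)(a) (agency side opt-out remembered in a cookie) and the paragraph f practices into effect: a server-created session ID, a salted keyed hash that only the server can verify, a 4096-byte size limit, a one-year expiration ceiling, and the Secure flag so the cookie travels only over TLS. It also includes an audit function that reports which of those practices a given Set-Cookie header violates. The cookie names state_visit and state_analytics_optout, the server key, and the audit rules are assumptions of the example.

```python
"""Added example: issue, verify and audit Set-Cookie headers against the
5 FAM 743 recommended practices. Cookie names and the key are assumptions."""
import hashlib
import hmac
import secrets
from http.cookies import SimpleCookie

MAX_COOKIE_BYTES = 4096                  # 743 f(1): no larger than 4096 bytes
MAX_AGE_SECONDS = 365 * 24 * 60 * 60     # 743 f(4): expiration no greater than 1 year
OPT_OUT_COOKIE = "state_analytics_optout"  # assumed name, 743 e(1)(a) agency side opt-out
ANALYTICS_COOKIE = "state_visit"           # assumed name for the one cookie per user, 743 e(5)

# Constructed server-side key. It never leaves the server, so sealed values can be
# verified only on the server (743 f(2), f(3)).
SERVER_KEY = secrets.token_bytes(32)


def new_session_id():
    """Server-created, unpredictable session ID (743 f(7))."""
    return secrets.token_urlsafe(24)


def _tag(salt, value):
    """Salted, keyed SHA-256 over the cookie value."""
    return hmac.new(SERVER_KEY, f"{salt}.{value}".encode(), hashlib.sha256).hexdigest()


def seal(value):
    """Attach a fresh per-cookie salt and the keyed hash (a 'salted hash', 743 f(2))."""
    salt = secrets.token_hex(8)
    return f"{salt}.{value}.{_tag(salt, value)}"


def unseal(token):
    """Return the value only if its tag verifies; None for tampered or malformed input."""
    try:
        salt, rest = token.split(".", 1)
        value, tag = rest.rsplit(".", 1)
    except ValueError:
        return None
    return value if hmac.compare_digest(tag, _tag(salt, value)) else None


def build_set_cookie(name, value, max_age=MAX_AGE_SECONDS):
    """Emit one Set-Cookie header with a sealed value and the flags the practices call for."""
    if max_age > MAX_AGE_SECONDS:
        raise ValueError("expiration exceeds the one-year limit (743 f(4))")
    jar = SimpleCookie()
    jar[name] = seal(value)
    morsel = jar[name]
    morsel["max-age"] = max_age
    morsel["path"] = "/"
    morsel["secure"] = True      # sent only over TLS (743 f(7))
    morsel["httponly"] = True    # not readable by page scripts
    morsel["samesite"] = "Lax"   # browser withholds the cookie on most cross-site requests
    header = morsel.OutputString()
    if len(header.encode()) > MAX_COOKIE_BYTES:
        raise ValueError("cookie larger than 4096 bytes (743 f(1))")
    return header


def audit_set_cookie(header):
    """List the practices a Set-Cookie header violates; an empty list means compliant."""
    jar = SimpleCookie()
    jar.load(header)
    findings = []
    if len(header.encode()) > MAX_COOKIE_BYTES:
        findings.append("size > 4096 bytes")
    for morsel in jar.values():
        max_age = morsel["max-age"]
        if max_age == "" or int(max_age) > MAX_AGE_SECONDS:
            findings.append("expiration missing or longer than one year")
        if not morsel["secure"]:
            findings.append("Secure flag missing")
        if not morsel["httponly"]:
            findings.append("HttpOnly flag missing")
        if unseal(morsel.value) is None:
            findings.append("value not sealed by this server")
    return findings


def response_cookies(request_cookie_header):
    """Decide which Set-Cookie headers a response carries, honouring the opt-out cookie."""
    incoming = SimpleCookie()
    incoming.load(request_cookie_header)
    if OPT_OUT_COOKIE in incoming and incoming[OPT_OUT_COOKIE].value == "1":
        return []   # user opted out: set no other cookie on this domain (743 e(1)(a))
    if ANALYTICS_COOKIE in incoming and unseal(incoming[ANALYTICS_COOKIE].value):
        return []   # a valid cookie is already present: one cookie per user (743 e(5))
    return [build_set_cookie(ANALYTICS_COOKIE, new_session_id())]


if __name__ == "__main__":
    print(response_cookies(""))                          # first visit: one sealed cookie
    print(response_cookies(f"{OPT_OUT_COOKIE}=1"))       # opted-out visitor: nothing set
    print(audit_set_cookie("state_visit=abc; Max-Age=63072000"))  # non-compliant header
```

The audit function is the part a site manager would run over captured response headers during a review: a header that lacks Max-Age, carries a two-year lifetime, omits Secure, or carries a value the server did not seal is reported against the matching practice.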

g. In addition to the requirements listed in this section, multi-session cookies that 
gather PII (Tier 3) must meet these requirements: 

(1) The Senior Agency Official for Privacy (SAOP) must review and clear the 
use of Tier 3 cookies. This clearance does not constitute final approval; the 
Chief Information Officer (CIO) must give final approval (see 5 FAM 743, 
subparagraph g(3)); and 

(2) For notice and comment following SAOP review, for new proposals of Tier 3 
uses or substantive changes to existing uses of such technologies, you 
must: 

(a) Solicit comment through the Department's Open Government Web 
page for a minimum of 30 days. This notice must describe your 
proposed use of Tier 3 cookies, and include each of the required 
additions to agency privacy policies listed in Attachment 3 of 
Memorandum M-10-22; and 

(b) Review and consider substantive comments and make changes to your 
intended use of Tier 3 cookies where appropriate; 

(NOTE: The CIO may, in writing, approve an exemption from the 
notice-and-comment process if it is reasonably likely to result in serious public harm) 

(3) The CIO must give explicit written approval for the use of Tier 3 cookies. 
This approval must be cited in the Department's Privacy Policy; and 

(4) Annually review Tier 3 cookie usage to determine if the data being 
collected is still needed to achieve program objectives. 

5 FAM 744 THIRD-PARTY COOKIE USE 

(CT:IM-154; 09-17-2014) 

a. OMB Memorandum M-10-23 (June 2010) provides the requirements Federal 
agencies must meet to protect the privacy of those who visit or interact with 
the agency on third-party platforms and applications. 

b. These platforms typically use multi-session cookies and the information they 
collect varies by platform. The Department cannot control this usage but must, 
to the extent possible, post a privacy notice to inform site visitors that they are 
subject both to the Department's privacy policy and that of the platform. To do 
this: 

(1) Post a link to the privacy policy at http://www.state.gov/misc/415.htm; 
and 

(2) Post the required standard Terms of Use for Department sites, which 
contains a privacy policy statement. See 5 FAM 793.4 for details. 

c. Comply with the branding requirement in 5 FAM 793.1. 

d. If you use a third-party tool to collect information from site visitors, you must: 

(1) Minimize collecting and storing personal information to only that which is 
needed for a specific Department function; 

(2) Post a privacy notice explaining what information is being collected, for 
what it is being used, and how long it will be stored. Ensure the user is not 
required to complete a questionnaire to obtain Department program 
information; 

(3) Keep in mind any associated records management requirements. Consult 
the Records Management staff at records@state.gov for assistance; and 

(4) Keep in mind that collecting information from the public may trigger the 
Paperwork Reduction Act. See 5 FAM 795.1, paragraph h, for details. 

5 FAM 745 THROUGH 749 UNASSIGNED 

UNCLASSIFIED (U) 

5 FAM 740 Page 4 of 5 


U.S. Department of State Foreign Affairs Manual Volume 5 
Information Management 

5 FAM Exhibit 743 
OMB MEMORANDUM M-10-22 (JUNE 2010) 

(CT:IM-154; 09-17-2014) 

Attachment 3 

Required Additions to the Agency Privacy Policy when Web Measurement and 
Customization Technologies are Used 

The following items must be added as part of the agency's online Privacy Policy, if 
they are not present, in any instance when Web measurement and customization 
technologies are used: 

i. The purpose of the Web measurement and/or customization technology; 

ii. The usage Tier, session type, and technology used; 

iii. The nature of the information collected; 

iv. The purpose and use of the information; 

v. Whether and to whom the information will be disclosed; 

vi. The privacy safeguards applied to the information; 

vii. The data retention policy for the information; 

viii. Whether the technology is enabled by default and why; 

ix. How to opt-out of the Web measurement and/or customization technology; 

x. Statement that opting-out still permits users to access comparable information 
or services; and 

xi. The identities of all third-party vendors involved in the measurement and 
customization process. 